Hybrid systems, which combine discrete and continuous dynamics, require quality modeling languages to be either described or analyzed. The Concurrent Constraint paradigm (ccp) is an expressive declarative paradigm, characterized by the use of a common constraint store to communicate and synchronize concurrent agents. In this paradigm, the information is stated in the form of constraints, in contrast to the variable/value style typical of imperative languages. Several extensions of ccp have been proposed in order to model reactive systems. One of these extensions is the Timed Concurrent Constraint Language (tccp) that adds to ccp a notion of discrete time and new features to model time-out and preemption actions.

The goal of this paper is to explore the expressive power of tccp to describe hybrid systems. We introduce the language Hy-tccp as a conservative extension of tccp, by adding a notion of continuous time and new constructs to describe the continuous dynamics of hybrid systems. In this paper, we present the syntax and the operational semantics of Hy-tccp together with some examples that show the expressive power of our new language.


1 Introduction 

In the last years, concurrent, reactive and hybrid systems have become essential to model a large number 
of modern applications. Often, systems of this kind are classified as critical, i.e., an error in the software 
can have tragic consequences in terms of human lives or money. This is the case of avionic or automotive 
software, e-banking, or financial applications. 

Description, verification and analysis of concurrent and reactive systems are very hard tasks, due to the concurrent execution of different agents and to issues of synchronization. In the case of hybrid systems, these phases are even harder due to the combination of discrete and continuous dynamics and the presence of real-valued variables. Therefore, it is important to develop high-level description languages that allow these systems to be modeled with enough precision and at the same time that ease the application of formal methods techniques.

Many formalisms have been developed to describe concurrent systems. One of these is the Concurrent Constraint paradigm (ccp) [10], a simple but powerful model for concurrent systems. It differs from other paradigms mainly due to the notion of store-as-constraint that replaces the classical store-as-valuation model. In this paradigm, the agents running in parallel communicate by means of a global constraint store. The Timed Concurrent Constraint Language [2] (tccp in short) is a concurrent logic language obtained by extending ccp with the notion of time and a suitable mechanism to model time-outs and preemptions.

In this paper, we present the language Hy-tccp, an extension of tccp over continuous time. Hy-tccp is a non-deterministic and synchronous language that incorporates continuous variables that follow dynamics determined by an ordinary differential equation (ODE). Its declarative nature facilitates a high level description of hybrid systems in the style of hybrid automata [8]. Furthermore, its logical nature facilitates the development of semantics based program manipulation tools for hybrid systems (verifiers, analyzers, debuggers...). Parallel composition of hybrid automata is naturally supported in Hy-tccp due to the existence of a global shared store and to the synchronization mechanism inherited from tccp. By defining Hy-tccp, we show that the extension of a declarative constraint language with continuous dynamics is not only possible, but it leads to a powerful and expressive language able to describe complex hybrid systems.

In this paper, we have only considered the modeling of multi-rated [5] hybrid systems, i.e., systems whose continuous variables follow constant dynamics. However, in the future we aim to relax this restriction in order to describe more complex dynamics such as those defined by rectangular sets.

The paper is organized as follows. In Section 2 we briefly introduce the language tccp and the essential aspects of hybrid automata. In Section 3 we introduce the new language Hy-tccp together with its operational semantics, and we describe the new features that have been added to tccp in order to model hybrid systems. Section 4 contains some examples to highlight the expressive power of Hy-tccp. Section 5 presents some related work and, finally, Section 6 concludes the paper and outlines future work.

2 Background 

In this section we present some background to clarify the contributions of the paper. In Subsection 2.1 we introduce the language tccp, the starting point for the definition of Hy-tccp. In Subsection 2.2 we introduce the basic notions of hybrid automata, which is the formalism commonly used to describe hybrid systems.

2.1 The Timed Concurrent Constraint Language 

The Timed Concurrent Constraint Language (tccp, [2]) is a time extension of ccp. It adds to ccp the notion of time and the ability to capture the absence of information. With these features, one can specify behaviors typical of concurrent and reactive systems.

The computation in tccp proceeds as the concurrent execution of several agents that can monotonically add constraints in a global store or query information from it. As are all the languages from the cc paradigm, tccp is parametric w.r.t. a cylindric constraint system.

DEFINITION 2.1 (CYLINDRIC CONSTRAINT SYSTEM) A cylindric constraint system is an algebraic structure of the form:

$$\mathbf{C} = \langle C, \leq, \wedge, \mathit{true}, \mathit{false}, \mathit{Var}, \exists \rangle$$

such that:

1. $\langle C, \leq, \wedge, \mathit{true}, \mathit{false} \rangle$ is a complete lattice where $\wedge$ is the least upper bound (lub) operator, and $\mathit{true}$ and $\mathit{false}$ are, respectively, the least and the greatest elements of $C$. We often use the inverse order $\vdash$ (the entailment relation) instead of $\leq$ over constraints. Formally, $\forall c, d \in C.\ c \leq d \Leftrightarrow d \vdash c$.

2. Var is a denumerable set of variables. 

3. For each element $x \in \mathit{Var}$, a function (also called cylindric operator) $\exists_x : C \to C$ is defined such that, for any $c, d \in C$ the following axioms hold:

(a) $c \vdash \exists_x c$

(b) if $c \vdash d$ then $\exists_x c \vdash \exists_x d$

(c) $\exists_x (c \wedge \exists_x d) = \exists_x c \wedge \exists_x d$

(d) $\exists_x (\exists_y c) = \exists_y (\exists_x c)$

The entailment relation $\vdash$ intuitively states that if $c$ contains more information than $d$ then $c \vdash d$. The lub operator $\wedge$ merges the information from two constraints (e.g. $x > 0 \wedge x > 5 \wedge y = 9 := x > 5 \wedge y = 9$ and $x = 0 \wedge x = 7 := \mathit{false}$). The cylindrification (or hiding) operator is defined in terms of a general notion of existential quantifier. It is used to project away information about the considered variable in order to make it local to the constraint and hide it from the context (e.g. $\exists_x (x = 0 \wedge y = x \wedge z > 7) := y = 0 \wedge z > 7$).

The tccp global store is monotonic in the sense that once a constraint is added to the store, it cannot be removed. Thus, given the store $x > 0 \wedge y > 2$ we can add the information $x > 5$ and obtain the store $x > 5 \wedge y > 2$. Furthermore, by adding $x = 0$ we obtain the inconsistent store $\mathit{false}$ since the constraint $x = 0$ is in contradiction with the information already present in the store.

The syntax of tccp agents is given by the grammar:

$$A ::= \mathsf{stop} \mid \mathsf{tell}(c) \mid A \parallel A \mid \exists x\, A \mid \sum_{i=1}^{n} \mathsf{ask}(c_i) \to A \mid \mathsf{now}\ c\ \mathsf{then}\ A\ \mathsf{else}\ A \mid p(\vec{x})$$

where $c, c_1, \dots, c_n$ are finite constraints in $C$, $p$ is a process symbol, and $\vec{x} \in \mathit{Var} \times \dots \times \mathit{Var}$. A tccp program is a pair $D.A$, where $A$ is the initial agent and $D$ is a set of process declarations of the form $p(\vec{x}) \text{ :- } A$.

The operational semantics of tccp is described by a transition system $T = (\mathit{Conf}, \to)$. Configurations in $\mathit{Conf}$ are pairs $\langle A, c \rangle$ representing the agent $A$ to be executed in the current global store $c$. The transition relation $\to\ \subseteq \mathit{Conf} \times \mathit{Conf}$ is the least relation satisfying the rules in Figure 1. Each transition step takes exactly one time-unit. The notion of time is introduced by defining a global clock which synchronizes all agents.

As can be seen from the rules, the stop agent represents the successful termination of the computation. The $\mathsf{tell}(c)$ agent adds the constraint $c$ to the current store by means of the $\wedge$ operator and then stops. It takes one time-unit, thus the constraint $c$ is visible to the other agents from the following time instant. The choice agent $\sum_{i=1}^{n} \mathsf{ask}(c_i) \to A_i$ consults the store and non-deterministically executes (at the following time instant) one of the agents $A_i$ whose corresponding guard $c_i$ is entailed by the current store; otherwise, if no guard is entailed by the store, the agent suspends. The conditional agent $\mathsf{now}\ c\ \mathsf{then}\ A\ \mathsf{else}\ B$ behaves (in the current time instant) like $A$ (respectively $B$) if $c$ is (respectively is not) entailed by the store. This conditional agent is able to process negative information (lack of some information): it can capture when some information is not present in the store since the agent $B$ is executed both when $\neg c$ is satisfied, but also when neither $c$ nor $\neg c$ are satisfied. $A \parallel B$ models the parallel composition of $A$ and $B$ in terms of maximal parallelism, i.e., all the enabled agents of $A$ and $B$ are executed at the same time. The agent $\exists x\, A$ makes variable $x$ local to $A$; to this end, it uses the $\exists$ operator of the constraint system. More specifically, it behaves like $A$ with $x$ considered local, i.e., the information on $x$ provided by the external environment is hidden to $A$, and the information on $x$ produced by $A$ is hidden to the external world. In the corresponding rule, the store $l$ in the agent $\exists^{l} x\, A$ represents the store local to $A$. This auxiliary operator is linked to the hiding construct by setting the initial local store to $\mathit{true}$, thus $\exists x\, A := \exists^{\mathit{true}} x\, A$. Finally, the agent $p(\vec{x})$ takes from $D$ a declaration of the form $p(\vec{x}) \text{ :- } A$ and then executes $A$.
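
$$\langle \mathsf{tell}(c), d \rangle \to \langle \mathsf{stop}, c \wedge d \rangle$$

$$\frac{\exists\, 1 \leq j \leq n.\ d \vdash c_j}{\langle \sum_{i=1}^{n} \mathsf{ask}(c_i) \to A_i, d \rangle \to \langle A_j, d \rangle}$$

$$\frac{\langle A, d \rangle \to \langle A', d' \rangle \quad d \vdash c}{\langle \mathsf{now}\ c\ \mathsf{then}\ A\ \mathsf{else}\ B, d \rangle \to \langle A', d' \rangle} \qquad \frac{\langle A, d \rangle \not\to \quad d \vdash c}{\langle \mathsf{now}\ c\ \mathsf{then}\ A\ \mathsf{else}\ B, d \rangle \to \langle A, d \rangle}$$

$$\frac{\langle B, d \rangle \to \langle B', d' \rangle \quad d \nvdash c}{\langle \mathsf{now}\ c\ \mathsf{then}\ A\ \mathsf{else}\ B, d \rangle \to \langle B', d' \rangle} \qquad \frac{\langle B, d \rangle \not\to \quad d \nvdash c}{\langle \mathsf{now}\ c\ \mathsf{then}\ A\ \mathsf{else}\ B, d \rangle \to \langle B, d \rangle}$$

$$\frac{\langle A, d \rangle \to \langle A', d' \rangle \quad \langle B, d \rangle \to \langle B', c' \rangle}{\langle A \parallel B, d \rangle \to \langle A' \parallel B', d' \wedge c' \rangle}$$

$$\frac{\langle A, d \rangle \to \langle A', d' \rangle \quad \langle B, d \rangle \not\to}{\langle A \parallel B, d \rangle \to \langle A' \parallel B, d' \rangle \qquad \langle B \parallel A, d \rangle \to \langle B \parallel A', d' \rangle}$$

$$\frac{\langle A, l \wedge \exists_x d \rangle \to \langle B, l' \rangle}{\langle \exists^{l} x\, A, d \rangle \to \langle \exists^{l'} x\, B, d \wedge \exists_x l' \rangle}$$

$$\frac{p(\vec{x}) \text{ :- } A \in D}{\langle p(\vec{x}), d \rangle \to \langle A, d \rangle}$$

Figure 1: The transition system for tccp.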

2.2 Introduction to hybrid automata 

Many real systems have complex behaviors and evolve following both discrete and continuous dynamics. These systems are called hybrid systems. For instance, a cooler system is a hybrid system: it has two discrete states (on or off) that are chosen according to the temperature of the room, which evolves continuously over time.

Hybrid automata [8] are an extension of finite-state automata used to describe hybrid systems. Intuitively, the discrete behavior of a hybrid automaton is defined by means of a finite set of discrete states (called locations) and a set of (instantaneous) discrete transitions from one location to another. The continuous behavior of hybrid automata is described at each location by means of some Ordinary Differential Equations (ODEs) which describe how continuous variables evolve over time (continuous transitions).

Definition 2.2 (Hybrid automaton) A hybrid automaton $H$ is a tuple

$$(\mathit{Loc}, T, \Sigma, X, \mathit{Init}, \mathit{Inv}, \mathit{Flow}, \mathit{Jump})$$

where:

• $\mathit{Loc}$ is a finite set $\{loc_1, \dots, loc_n\}$ of discrete states (locations).

• $T \subseteq \mathit{Loc} \times \mathit{Loc}$ is a finite set of discrete transitions.

• $\Sigma$ is a set of event names, associated with a labelling function $\lambda : T \to \Sigma$.

• $X = \{x_1, \dots, x_m\}$ is a finite set of real-valued variables. The set $\dot{X} = \{\dot{x}_1, \dots, \dot{x}_m\}$ represents the first derivatives of the elements in $X$. In addition, the set $X' = \{x'_1, \dots, x'_m\}$ represents the updates of the variables when a discrete transition takes place. In this section, we assume that discrete variables are continuous variables whose derivative is zero at all locations.

• The functions $\mathit{Init}$, $\mathit{Inv}$ and $\mathit{Flow}$ assign predicates to each location $loc \in \mathit{Loc}$. $\mathit{Init}(loc)$ establishes the possible initial values for the continuous variables at location $loc$. $\mathit{Inv}(loc)$ constrains the values of the continuous variables at location $loc$. $\mathit{Flow}(loc)$ contains the differential equations describing the evolution of the continuous variables at location $loc$.

• Function $\mathit{Jump}$ assigns to each discrete transition $t \in T$ a guard that must be satisfied in order to allow the transition to take place, and a reset predicate which updates the value and/or the flow of the continuous variables.

Figure 2: Hybrid automaton for the cooler system

EXAMPLE 2.3 Figure 2 shows a hybrid automaton modeling a cooler system. The automaton has two locations on and off and a continuous variable $T$ storing the room temperature. When the automaton is at location on (the cooler is turned on) the temperature decreases at rate -0.5. When the location is off (the cooler is turned off) the temperature increases at rate +2.0. Transitions between locations represent the turning on or off of the cooler. These transitions are guarded with conditions. For instance, transition on-off takes place when the temperature is 26, while transition off-on takes place when the temperature is 30.


A hybrid automaton behaves like a timed transition system (TTS), where each step is labelled either with a positive real value $t$ (continuous transition of duration $t$) or with $\sigma$ (discrete transition). Let $[X \to \mathbb{R}]$ be the set of maps from $X$ to $\mathbb{R}$. An automaton state, called hybrid state from now on, is a pair $(loc, v) \in (\mathit{Loc} \times [X \to \mathbb{R}])$, where $loc \in \mathit{Loc}$ is a location of the automaton, and $v \in [X \to \mathbb{R}]$ maps each continuous variable to its current value.

Let $p$ be a predicate over $X \cup \dot{X}$ or $X \cup X'$, then $[\![p]\!]$ denotes all functions $v \in [X \to \mathbb{R}]$ that satisfy $p$.

DEFINITION 2.4 (Trajectories) Let $H = (\mathit{Loc}, T, \Sigma, X, \mathit{Init}, \mathit{Inv}, \mathit{Flow}, \mathit{Jump})$ be a hybrid automaton. We consider two types of transitions:

Discrete transitions: Let $(loc, loc') \in T$, $(loc, v) \to_{\sigma} (loc', v')$ iff $v, v' \in [X \to \mathbb{R}]$, and $(v, v') \in [\![\mathit{Jump}(t)]\!]$.

Continuous transitions: For each $t \in \mathbb{R}^{+}$, we have $(loc, v) \to_{t} (loc, v')$ iff there exists a differentiable function $f : [0, t] \to \mathbb{R}^{m}$, $\dot{f} : [0, t] \to \mathbb{R}^{m}$ being its first derivative, such that:

• $f(0) = v$

• $f(t) = v'$

• $\forall t' \in [0, t],\ f(t') \in [\![\mathit{Inv}(loc)]\!]$

• € iFlow(loc)] 

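A trajectory is a (possibly infinite) sequence of hybrid states such as $(loc_0, v_0) \to_{\lambda_0} (loc_1, v_1) \to_{\lambda_1} \dots \to_{\lambda_{n-1}} (loc_n, v_n) \to_{\lambda_n} \dots$, where for all $i \geq 0$, $v_i \in [\![\mathit{Inv}(loc_i)]\!]$ and $\lambda_i \in \mathbb{R} \cup \{\sigma\}$.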

It is worth noting that the system is free to select non-deterministically at each moment any enabled 
transition, either discrete or continuous. 

EXAMPLE 2.5 Considering the hybrid system in Figure 2, the following trajectory represents a possible evolution of the automaton starting at hybrid state (on, 27): $(on, 27) \to_{1} (on, 26.5) \to_{1} (on, 26) \to_{\sigma} (off, 26) \to_{0.5} (off, 27) \to_{1.5} (off, 30) \to_{\sigma} (on, 30) \dots$

3 Hy-tccp: an extension of tccp over continuous time

In this section, we present the language Hy-tccp, which subsumes tccp and includes new agents in order to model the continuous behavior typical of hybrid systems in the style of hybrid automata. In contrast to tccp, in Hy-tccp we consider a notion of continuous time by means of a global continuous clock.

Hy-tccp uses a tccp monotonic store (called discrete store) to model the information about the current location and the associated invariants of a hybrid automaton. Discrete transitions are modeled as instantaneous transitions in Hy-tccp and they are used to synchronize parallel agents/automata. In summary, the features offered by tccp are used to model the discrete behavior of hybrid automata. However, hybrid automata are characterized by the use of continuous variables whose values change following some ODEs. For this reason, the tccp store is extended by adding a component called continuous store. The continuous store is not monotonic, instead it records the dynamical evolution of the continuous variables.

We distinguish the set of discrete variables $\mathit{Var}$, whose information is accumulated monotonically, and the set of continuous variables $\widetilde{\mathit{Var}}$, whose values change continuously over time ($\mathit{Var} \cap \widetilde{\mathit{Var}} = \emptyset$). Constraints in $C$ are now defined over $\mathit{Var} \cup \widetilde{\mathit{Var}}$.

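A continuous store is a function that associates a continuous variable with two real numbers: its value and its flow, which indicates how its value changes over time. In this work, we consider only ODEs of the form $\dot{x} = n$ with $n \in \mathbb{R}$. In the future, we intend to also consider ODEs of the form $\dot{x} \in [n_1, n_2]$ with $n_1, n_2 \in \mathbb{R}$ in order to model rectangular hybrid systems.

We denote as $\tilde{C} = [\widetilde{\mathit{Var}} \to (\mathbb{R} \times \mathbb{R})]$ the set of all possible continuous stores, and as $\widetilde{\mathit{true}}$ and $\widetilde{\mathit{false}}$ the empty and the inconsistent continuous store, respectively. We denote with $dom(\tilde{c}) \subseteq \widetilde{\mathit{Var}}$ the domain of $\tilde{c}$. Given $\tilde{c} \in \tilde{C}$ and $x \in dom(\tilde{c})$, $\tilde{c}(x) = (v, f)$ means that $x$ has value $v$ (denoted as $\tilde{c}(x).v$) and flow $f$ (denoted as $\tilde{c}(x).f$). The binary operator $\tilde{\wedge} : \tilde{C} \times \tilde{C} \to \tilde{C}$ merges the information from two continuous stores. In the case the same variable appears in both stores with different values or flows, then the merge is inconsistent. Given $\tilde{c}, \tilde{d} \in \tilde{C}$:

$$\tilde{c}\ \tilde{\wedge}\ \widetilde{\mathit{true}} = \tilde{c} \qquad \tilde{c}\ \tilde{\wedge}\ \widetilde{\mathit{false}} = \widetilde{\mathit{false}}$$

$$\tilde{c}\ \tilde{\wedge}\ \tilde{d} = \widetilde{\mathit{false}} \quad \text{if } \exists x \in dom(\tilde{c}) \cap dom(\tilde{d}).\ \tilde{c}(x) \neq \tilde{d}(x)$$

$$\tilde{c}\ \tilde{\wedge}\ \tilde{d} = \lambda y. \begin{cases} \tilde{c}(y) & \text{if } y \in dom(\tilde{c}) \\ \tilde{d}(y) & \text{if } y \in dom(\tilde{d}) \end{cases} \quad \text{if } \forall x \in dom(\tilde{c}) \cap dom(\tilde{d}).\ \tilde{c}(x) = \tilde{d}(x)$$

We define the operator $\tilde{\exists} : \widetilde{\mathit{Var}} \times \tilde{C} \to \tilde{C}$ such that, given $\tilde{c} \in \tilde{C}$ and $x \in \widetilde{\mathit{Var}}$, $\tilde{\exists}_x \tilde{c}$ deletes the information about $x$ in $\tilde{c}$.

Given $\tilde{c} \in \tilde{C}$, $x \in dom(\tilde{c})$ and $v \in \mathbb{R}$, we denote as $\tilde{c}[v/x]$ the continuous store that is equal to $\tilde{c}$ except for the value of $x$ that becomes $v$.

$$\tilde{c}[v/x] = \lambda y. \begin{cases} \tilde{c}(y) & \text{if } y \in dom(\tilde{c}),\ y \neq x \\ (v, \tilde{c}(x).f) & \text{if } y = x \end{cases}$$

A Hy-tccp store is a pair $\langle c, \tilde{c} \rangle$ where $c \in C$ (discrete store) is a monotonic constraint store as in tccp and $\tilde{c} \in \tilde{C}$ (continuous store) is such that $c \wedge \bigwedge_{x \in dom(\tilde{c})} (x = \tilde{c}(x).v) \neq \mathit{false}$, i.e., discrete and continuous store are consistent.¹ We denote as $\Gamma$ the set of all possible Hy-tccp stores. We define the extension of the entailment relation $\vdash$ over Hy-tccp stores as $\tilde{\vdash} : \Gamma \times C$ such that given $\langle c, \tilde{c} \rangle \in \Gamma$ and $d \in C$, $\langle c, \tilde{c} \rangle\ \tilde{\vdash}\ d$ if $c \wedge \bigwedge_{x \in dom(\tilde{c})} (x = \tilde{c}(x).v) \vdash d$. In other words, a store $\langle c, \tilde{c} \rangle$ entails a constraint $d$ if the discrete store $c$ merged with the projection of the current values of the continuous variables entails $d$ in the underlying constraint system.

¹ We assume that our underlying constraint system handles equality constraints.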

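Given $\tau \in \mathbb{R}^{+}$ we denote as $\langle c, \tilde{c}_{\tau} \rangle$ the continuous projection of the store $\langle c, \tilde{c} \rangle$ at time $\tau$: the values of the continuous variables are updated at time $\tau$, while the flows are unchanged: $\tilde{c}_{\tau} = \lambda y.\ \tilde{c}[n_y/y]$ where $y \in dom(\tilde{c})$ and $n_y = \tilde{c}(y).v + (\tilde{c}(y).f * \tau)$. For instance consider the store $\langle x > 10, y \mapsto (2, 5) \rangle$, its projection at time 3 is the store $\langle x > 10, y \mapsto (17, 5) \rangle$. We say that $\langle c, \tilde{c}_{\tau} \rangle$ is a continuous projection of $\langle c, \tilde{c} \rangle$ at time $\tau$ that satisfies $d$ (denoted as $\langle c, \tilde{c} \rangle \rightsquigarrow^{\tau}_{d} \langle c, \tilde{c}_{\tau} \rangle$) if for all $\tau' \in [0, \tau]$, $\langle c, \tilde{c}_{\tau'} \rangle\ \tilde{\vdash}\ d$. For instance, the above projection satisfies $y > 0$: $\langle x > 10, y \mapsto (2, 5) \rangle \rightsquigarrow^{3}_{y > 0} \langle x > 10, y \mapsto (17, 5) \rangle$.

The update operator $\triangleleft$, given $\tilde{c}, \tilde{d} \in \tilde{C}$ such that $dom(\tilde{c}) \cap dom(\tilde{d}) = \{x_1, \dots, x_n\}$, updates $\tilde{c}$ with the information of $\tilde{d}$ as follows: $\tilde{c} \triangleleft \tilde{d} := (\tilde{\exists}_{x_1, \dots, x_n} \tilde{c})\ \tilde{\wedge}\ \tilde{d}$. Note that it is impossible to obtain an inconsistent continuous store since the common variables are hidden from $\tilde{c}$ and replaced by the new values and flows from $\tilde{d}$.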

In order to model the typical behaviors of hybrid systems we introduce two new constructs w.r.t. the syntax of tccp: $\mathsf{change}$ and $\widetilde{\mathsf{ask}}$.

The agent $\mathsf{change}$ updates the current continuous store with a new value and/or flow for a given continuous variable. It roughly corresponds to the reset predicate of hybrid automata.

Continuous transitions are modeled by the new construct $\widetilde{\mathsf{ask}}(inv)$ that makes continuous variables evolve over continuous time while the invariant $inv$ is satisfied. The tccp choice agent is extended by allowing the non-deterministic choice between discrete and continuous transitions in the following way:

$$\sum_{i=1}^{n} \mathsf{ask}(c_i) \to A + \sum_{j=1}^{m} \widetilde{\mathsf{ask}}(inv_j).$$

Here, the $\widetilde{\mathsf{ask}}$ branches can be non-deterministically selected when the corresponding invariant $inv_j$ is entailed in the current store. The continuous variables evolve over time while $inv_j$ holds and until another ask branch is selected.

The syntax of Hy-tccp agents is given by the following grammar:

$$A ::= \mathsf{stop} \mid \mathsf{tell}(c) \mid A \parallel A \mid \mathsf{now}\ c\ \mathsf{then}\ A\ \mathsf{else}\ A \mid \exists x\, A \mid p(\vec{x}) \mid \mathsf{change}(y, v, f) \mid \sum_{i=1}^{n} \mathsf{ask}(c_i) \to A + \sum_{j=1}^{m} \widetilde{\mathsf{ask}}(inv_j)$$

where $c$, $c_i$ and $inv_j$ are finite constraints in $C$, $y$ is a continuous variable in $\widetilde{\mathit{Var}}$, $v, f \in \mathbb{R}$, $p$ is a process symbol, $x \in \mathit{Var} \cup \widetilde{\mathit{Var}}$, $\vec{x} \in (\mathit{Var} \cup \widetilde{\mathit{Var}}) \times \dots \times (\mathit{Var} \cup \widetilde{\mathit{Var}})$, $n \geq 0$ and $m \geq 0$.

The operational semantics of Hy-tccp is described by a transition system $T = (\mathit{Conf}, \to_{\sigma}, \to_{\tau})$. Configurations in $\mathit{Conf}$ are triples $\langle A, c, \tilde{c} \rangle$ representing the agent $A$ to be executed in the current extended store $\langle c, \tilde{c} \rangle$. In contrast to the tccp approach, the discrete transition relation $\to_{\sigma}\ \subseteq \mathit{Conf} \times \mathit{Conf}$ does not represent the passage of one time unit. Instead, it models a computational step which does not consume time but it is needed to synchronize the agents in parallel. The continuous passage of time is modeled by the transition relation $\to_{\tau}\ \subseteq \mathit{Conf} \times \mathit{Conf}$ where $\tau \in \mathbb{R}^{+}$ is a (strictly) positive real number that indicates the duration of the transition. In Figure 3 we formally describe the operational semantics of Hy-tccp. Wherever possible we will use the subindex $\lambda \in \mathbb{R}^{+} \cup \{\sigma\}$ to represent both kinds of transitions (discrete and continuous).

Rule R1 shows the effects of adding a constraint $c \in C$ to the current discrete store. In Rule R1' the agent $\mathsf{change}$ updates the continuous store $\tilde{d}$ with a new initial value $v$ and a new flow $f$ for the variable $y$ by using the update operator $\triangleleft$.

Rules R2 and R2' describe the non-deterministic choice behavior. Rule R2 represents the discrete transition that is performed when one of the ask guards is entailed in the current store. In this case the corresponding agent is executed in the next step. Rule R2' models the continuous evolution of the system while one of the $\widetilde{\mathsf{ask}}$ invariants holds in the store. After a continuous transition of duration $\tau$, the values of the variables in the continuous store $\tilde{d}$ are updated while the discrete store is unchanged. At the end of that transition the non-deterministic choice is executed again allowing another discrete or continuous branch to be selected. In the case no guard or invariant holds this agent suspends.

Rules R3, R3', R4 and R4' describe the behavior of agent $\mathsf{now}$. This agent behaves as $A$ if $c$ is entailed by the constraint store, otherwise it behaves as $B$.

Rule R5 represents the parallel execution of two discrete transitions in terms of maximal parallelism, i.e., all the enabled agents of $A$ and $B$ are executed at the same time. Rule R6 represents the parallel execution of two continuous transitions; note that their duration must coincide. Rule R7 expresses the parallel composition of a discrete and a continuous transition. In this case, the discrete transition is executed before the continuous one. Rule R8 states that when an agent is blocked, the other one performs its transition (discrete or continuous).

In Rule R9 the agent $\exists^{(l, \tilde{l})} x\, A$ makes variable $x$ local to $A$. It behaves like $A$ with $x$ considered local, i.e., the information on $x$ provided by the external environment is hidden from $A$ by using the $\exists$ operator, and, in the same way, the information on $x$ produced by $A$ is hidden from the global environment. The store $\langle l, \tilde{l} \rangle$ in the agent $\exists^{(l, \tilde{l})} x\, A$ represents the store local to $A$. This auxiliary operator is linked to the hiding construct by setting the initial local store to $\langle \mathit{true}, \widetilde{\mathit{true}} \rangle$, thus $\exists x\, A := \exists^{(\mathit{true}, \widetilde{\mathit{true}})} x\, A$.

Finally, in Rule R10 the agent $p(\vec{x})$ takes from $D$ a declaration of the form $p(\vec{x}) \text{ :- } A$ and executes $A$.

Let us formalize the notion of behavior of a Hy-tccp program $P$ in terms of the transition system described in Figure 3. The small-step operational behavior of Hy-tccp collects all the small-step computations associated with $P$ (in terms of sequences of Hy-tccp stores closed by prefix) for each possible initial store. We assume that subsequent continuous transitions are considered as a unique (maximal) one whose length is equal to the sum of all the subsequent transition lengths. For instance, a sequence of continuous transitions of the form $\langle A_0, c_0, \tilde{c}_0 \rangle \to_{\tau_1} \dots \to_{\tau_n} \langle A_n, c_n, \tilde{c}_n \rangle$ is considered as the unique transition $\langle A_0, c_0, \tilde{c}_0 \rangle \to_{\tau} \langle A_n, c_n, \tilde{c}_n \rangle$ where $\tau = \sum_{i=1}^{n} \tau_i$.²

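DEFINITION 3.1 Let $P = D.A$ be a Hy-tccp program. The small-step (observable) behavior of $P$ is defined as:

$$\mathcal{B}^{ss}[\![D.A]\!] := \bigcup_{\langle c_0, \tilde{c}_0 \rangle \in \Gamma} \{ \langle c_0, \tilde{c}_0 \rangle \cdot \langle c_1, \tilde{c}_1 \rangle \cdot \ldots \cdot \langle c_n, \tilde{c}_n \rangle \mid \langle A, c_0, \tilde{c}_0 \rangle \to_{\lambda_1} \langle A_1, c_1, \tilde{c}_1 \rangle \to_{\lambda_2} \dots \to_{\lambda_n} \langle A_n, c_n, \tilde{c}_n \rangle,\ \forall 1 \leq i \leq n.\ \lambda_i \in \mathbb{R}^{+} \cup \{\sigma\} \} \cup \{\epsilon\}$$

² We assume that our system does not exhibit Zeno behaviors.

$$\langle \mathsf{tell}(c), d, \tilde{d} \rangle \to_{\sigma} \langle \mathsf{stop}, c \wedge d, \tilde{d} \rangle \quad \text{(R1)}$$

$$\langle \mathsf{change}(y, v, f), d, \tilde{d} \rangle \to_{\sigma} \langle \mathsf{stop}, d, \tilde{d} \triangleleft (y \mapsto (v, f)) \rangle \quad \text{(R1')}$$

$$\frac{\exists\, 1 \leq k \leq n.\ \langle d, \tilde{d} \rangle\ \tilde{\vdash}\ c_k}{\langle \sum_{i=1}^{n} \mathsf{ask}(c_i) \to A_i + \sum_{j=1}^{m} \widetilde{\mathsf{ask}}(inv_j), d, \tilde{d} \rangle \to_{\sigma} \langle A_k, d, \tilde{d} \rangle} \quad \text{(R2)}$$

$$\frac{\exists\, 1 \leq k \leq m,\ \tau \in \mathbb{R}^{+}.\ \langle d, \tilde{d} \rangle \rightsquigarrow^{\tau}_{inv_k} \langle d, \tilde{d}_{\tau} \rangle}{\langle \sum_{i=1}^{n} \mathsf{ask}(c_i) \to A_i + \sum_{j=1}^{m} \widetilde{\mathsf{ask}}(inv_j), d, \tilde{d} \rangle \to_{\tau} \langle \sum_{i=1}^{n} \mathsf{ask}(c_i) \to A_i + \sum_{j=1}^{m} \widetilde{\mathsf{ask}}(inv_j), d, \tilde{d}_{\tau} \rangle} \quad \text{(R2')}$$

$$\frac{\langle A, d, \tilde{d} \rangle \to_{\lambda} \langle A', d', \tilde{d}' \rangle \quad \lambda \in \mathbb{R}^{+} \cup \{\sigma\} \quad \langle d, \tilde{d} \rangle\ \tilde{\vdash}\ c}{\langle \mathsf{now}\ c\ \mathsf{then}\ A\ \mathsf{else}\ B, d, \tilde{d} \rangle \to_{\lambda} \langle A', d', \tilde{d}' \rangle} \quad \text{(R3)}$$

$$\frac{\langle A, d, \tilde{d} \rangle \not\to_{\lambda} \quad \lambda \in \mathbb{R}^{+} \cup \{\sigma\} \quad \langle d, \tilde{d} \rangle\ \tilde{\vdash}\ c}{\langle \mathsf{now}\ c\ \mathsf{then}\ A\ \mathsf{else}\ B, d, \tilde{d} \rangle \to_{\sigma} \langle A, d, \tilde{d} \rangle} \quad \text{(R3')}$$

$$\frac{\langle B, d, \tilde{d} \rangle \to_{\lambda} \langle B', d', \tilde{d}' \rangle \quad \lambda \in \mathbb{R} \cup \{\sigma\} \quad \langle d, \tilde{d} \rangle\ \tilde{\nvdash}\ c}{\langle \mathsf{now}\ c\ \mathsf{then}\ A\ \mathsf{else}\ B, d, \tilde{d} \rangle \to_{\lambda} \langle B', d', \tilde{d}' \rangle} \quad \text{(R4)}$$

$$\frac{\langle B, d, \tilde{d} \rangle \not\to_{\lambda} \quad \lambda \in \mathbb{R} \cup \{\sigma\} \quad \langle d, \tilde{d} \rangle\ \tilde{\nvdash}\ c}{\langle \mathsf{now}\ c\ \mathsf{then}\ A\ \mathsf{else}\ B, d, \tilde{d} \rangle \to_{\sigma} \langle B, d, \tilde{d} \rangle} \quad \text{(R4')}$$

$$\frac{\langle A, d, \tilde{d} \rangle \to_{\sigma} \langle A', d', \tilde{d}' \rangle \quad \langle B, d, \tilde{d} \rangle \to_{\sigma} \langle B', d'', \tilde{d}'' \rangle}{\langle A \parallel B, d, \tilde{d} \rangle \to_{\sigma} \langle A' \parallel B', d' \wedge d'', \tilde{d}'\ \tilde{\wedge}\ \tilde{d}'' \rangle} \quad \text{(R5)}$$

$$\frac{\langle A, d, \tilde{d} \rangle \to_{\tau} \langle A, d, \tilde{d}' \rangle \quad \langle B, d, \tilde{d} \rangle \to_{\tau} \langle B, d, \tilde{d}' \rangle \quad \tau \in \mathbb{R}^{+}}{\langle A \parallel B, d, \tilde{d} \rangle \to_{\tau} \langle A \parallel B, d, \tilde{d}' \rangle} \quad \text{(R6)}$$

$$\frac{\langle A, d, \tilde{d} \rangle \to_{\sigma} \langle A', d', \tilde{d}' \rangle \quad \langle B, d, \tilde{d} \rangle \to_{\tau} \langle B, d, \tilde{d}'' \rangle \quad \tau \in \mathbb{R}^{+}}{\langle A \parallel B, d, \tilde{d} \rangle \to_{\sigma} \langle A' \parallel B, d', \tilde{d}' \rangle} \quad \text{(R7)}$$

$$\frac{\langle A, d, \tilde{d} \rangle \to_{\lambda} \langle A', d', \tilde{d}' \rangle \quad \langle B, d, \tilde{d} \rangle \not\to_{\lambda'} \quad \lambda, \lambda' \in \mathbb{R}^{+} \cup \{\sigma\}}{\langle A \parallel B, d, \tilde{d} \rangle \to_{\lambda} \langle A' \parallel B, d', \tilde{d}' \rangle \qquad \langle B \parallel A, d, \tilde{d} \rangle \to_{\lambda} \langle B \parallel A', d', \tilde{d}' \rangle} \quad \text{(R8)}$$

$$\frac{\langle A, l \wedge \exists_x d, \tilde{l}\ \tilde{\wedge}\ \tilde{\exists}_x \tilde{d} \rangle \to_{\lambda} \langle B, l', \tilde{l}' \rangle \quad \lambda \in \mathbb{R}^{+} \cup \{\sigma\}}{\langle \exists^{(l, \tilde{l})} x\, A, d, \tilde{d} \rangle \to_{\lambda} \langle \exists^{(l', \tilde{l}')} x\, B, d \wedge \exists_x l', \tilde{d}\ \tilde{\wedge}\ \tilde{\exists}_x \tilde{l}' \rangle} \quad \text{(R9)}$$

$$\frac{p(\vec{x}) \text{ :- } A \in D}{\langle p(\vec{x}), d, \tilde{d} \rangle \to_{\sigma} \langle A, d, \tilde{d} \rangle} \quad \text{(R10)}$$

Figure 3: The transition system for Hy-tccp.


4 Examples

In order to show the expressivity of Hy-tccp, we present some examples of hybrid systems described in this language. For each case, we present the Hy-tccp code and the corresponding hybrid automaton.

4.1 Cooler system

In Figure 4 we model in Hy-tccp the cooler system introduced in Example 2.5. The initial state of the cooler is set to off and the temperature $T$ initially has value 29 and changes with a rate of +2.0. The temperature value increases continuously over time (first $\widetilde{\mathsf{ask}}$) until the temperature is lower than or equal to the value of 30. When the temperature reaches this limit, the cooler is turned on and the flow of the temperature changes from +2.0 to -0.5 (first ask). At this point, the temperature starts decreasing until it reaches the value of 26 (second $\widetilde{\mathsf{ask}}$). When this happens, the cooler is turned off and the flow of the temperature is changed again to +2.0 (second ask).

$$\begin{aligned}
\mathit{init} \text{ :- } & \exists St, T\ (\mathsf{tell}(St = [\mathit{off} \mid \_]) \parallel \mathsf{change}(T, 29, +2.0) \parallel \mathsf{tell}(T \geq 26 \wedge T \leq 30) \parallel \mathit{cooler}(St, T)) \\
\mathit{cooler}(St, T) \text{ :- } & \exists St'\ (\ \widetilde{\mathsf{ask}}(St = [\mathit{off} \mid \_] \wedge T \leq 30) \\
& + \mathsf{ask}(St = [\mathit{off} \mid \_] \wedge T = 30) \to (\mathsf{tell}(St = [\mathit{off} \mid St']) \parallel \mathsf{tell}(St' = [\mathit{on} \mid \_]) \parallel \mathsf{change}(T, 30, -0.5) \parallel \mathit{cooler}(St', T)) \\
& + \widetilde{\mathsf{ask}}(St = [\mathit{on} \mid \_] \wedge T \geq 26) \\
& + \mathsf{ask}(St = [\mathit{on} \mid \_] \wedge T = 26) \to (\mathsf{tell}(St = [\mathit{on} \mid St']) \parallel \mathsf{tell}(St' = [\mathit{off} \mid \_]) \parallel \mathsf{change}(T, 26, +2.0) \parallel \mathit{cooler}(St', T)))
\end{aligned}$$

Figure 4: Hy-tccp model for the cooler system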

It is worth noting that, due to the monotonicity of the discrete constraint store, streams (written 
in a list-fashion way) are used to model imperative-style variables 0. A stream is a list of the form 
$St = [\mathit{on} \mid St']$ where the head on represents the current value of $St$, and the tail $St'$ is a free variable that will be instantiated with the future values of $St$. Observe that we use the global constraint $T \geq 26 \wedge T \leq 30$ to add a global invariant of the cooler system ensuring that the temperature always stays in the interval [26,30].

The following partial trace represents the small-step behavior (see Definition 3.1) of $\mathit{cooler}(St, T)$ starting from the initial store $\langle St = [\mathit{off} \mid \_] \wedge T \geq 26 \wedge T \leq 30,\ T \mapsto (29, +2.0) \rangle$. This means that, initially, the cooler is turned off and the temperature has a value of 29 and a flow of +2.0. Moreover, the temperature is constrained to be between the values 26 and 30. Observe how the values on and off are accumulated in the stream $St$ in order to model the evolution of the state. The current state corresponds to the last value added to the stream. We use _ to indicate that the tail of the stream $St$ is a free variable that can be instantiated with future values. The continuous variables evolve over time until another discrete transition is executed. The repeated equal stores occurring in the trace correspond to the discrete computational steps taken in Hy-tccp (as well as in tccp) to evaluate one of the ask guards or to perform a procedure call. These steps are necessary to synchronize parallel agents. For the sake of clarity, we explicitly indicate the kind of transition occurring between two states (we write $\sigma$ for discrete transitions and the duration $\tau \in \mathbb{R}^{+}$ for continuous ones).

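$$\begin{aligned}
& \langle St = [\mathit{off} \mid \_] \wedge T \geq 26 \wedge T \leq 30,\ T \mapsto (29, +2.0) \rangle \to_{0.5} \langle St = [\mathit{off} \mid \_] \wedge T \geq 26 \wedge T \leq 30,\ T \mapsto (30, +2.0) \rangle \to_{\sigma} \\
& \langle St = [\mathit{off} \mid \_] \wedge T \geq 26 \wedge T \leq 30,\ T \mapsto (30, +2.0) \rangle \to_{\sigma} \langle St = [\mathit{off}, \mathit{on} \mid \_] \wedge T \geq 26 \wedge T \leq 30,\ T \mapsto (30, -0.5) \rangle \to_{\sigma} \\
& \langle St = [\mathit{off}, \mathit{on} \mid \_] \wedge T \geq 26 \wedge T \leq 30,\ T \mapsto (30, -0.5) \rangle \to_{8} \langle St = [\mathit{off}, \mathit{on} \mid \_] \wedge T \geq 26 \wedge T \leq 30,\ T \mapsto (26, -0.5) \rangle \to_{\sigma} \\
& \langle St = [\mathit{off}, \mathit{on} \mid \_] \wedge T \geq 26 \wedge T \leq 30,\ T \mapsto (26, -0.5) \rangle \to_{\sigma} \langle St = [\mathit{off}, \mathit{on}, \mathit{off} \mid \_] \wedge T \geq 26 \wedge T \leq 30,\ T \mapsto (26, +2.0) \rangle \dots
\end{aligned}$$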
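
The continuous-store operators of Section 3 (merge, hiding, update, projection) and the cooler trace above can be replayed in a few lines of Python. This is an added example, not code from the paper: the names `merge`, `hide`, `update`, `project`, `max_delay`, `COOLER` and `run_cooler` are hypothetical, invariants are assumed to be closed intervals per variable, and the guard-evaluation and procedure-call σ steps of the trace are collapsed into one σ step per location change.

```python
from fractions import Fraction as Fr

FALSE = None  # stands for the inconsistent continuous store

def merge(c, d):
    """Merge of two continuous stores: FALSE if a shared variable disagrees."""
    if c is FALSE or d is FALSE:
        return FALSE
    if any(c[x] != d[x] for x in c.keys() & d.keys()):
        return FALSE
    return {**c, **d}

def hide(c, xs):
    """Hiding: delete the information about the variables in xs."""
    return {y: vf for y, vf in c.items() if y not in xs}

def update(c, d):
    """Update operator: hide the common variables of c, then merge with d."""
    return merge(hide(c, c.keys() & d.keys()), d)

def project(c, t):
    """Continuous projection at time t: values advance, flows stay unchanged."""
    return {y: (v + f * t, f) for y, (v, f) in c.items()}

def max_delay(c, inv):
    """Longest t such that every projection in [0, t] satisfies inv.

    inv maps a variable to a closed interval (lo, hi). Flows are constant,
    so each value is linear in time and the first bound reached decides.
    Returns None when inv does not hold now or is never left.
    """
    limits = []
    for y, (lo, hi) in inv.items():
        v, f = c[y]
        if not lo <= v <= hi:
            return None
        if f > 0:
            limits.append((hi - v) / f)
        elif f < 0:
            limits.append((lo - v) / f)
    return min(limits) if limits else None

# Constructed encoding of the cooler program: per location, the invariant of
# its continuous branch (conjoined with the global invariant 26 <= T <= 30),
# the guard value of its discrete branch, and the location and flow that the
# tell/change agents of that branch install.
COOLER = {
    "off": {"inv": {"T": (Fr(26), Fr(30))}, "guard": Fr(30),
            "next": "on", "new_flow": Fr(-1, 2)},
    "on": {"inv": {"T": (Fr(26), Fr(30))}, "guard": Fr(26),
           "next": "off", "new_flow": Fr(2)},
}

def run_cooler(jumps, value=Fr(29), flow=Fr(2)):
    """Return [(label, stream, continuous store)] for `jumps` location changes."""
    stream = ["off"]                       # the stream St, oldest value first
    store = update({}, {"T": (value, flow)})
    trace = [("init", list(stream), store)]
    for _ in range(jumps):
        loc = COOLER[stream[-1]]
        t = max_delay(store, loc["inv"])
        if t:                              # maximal continuous transition
            store = project(store, t)
            trace.append((t, list(stream), store))
        if store["T"][0] != loc["guard"]:
            break                          # no discrete branch enabled
        store = update(store, {"T": (loc["guard"], loc["new_flow"])})
        stream.append(loc["next"])
        trace.append(("sigma", list(stream), store))
    return trace

if __name__ == "__main__":
    for label, stream, store in run_cooler(2):
        print(label, stream, store)
```

Exact rationals are used so that the guards `T = 30` and `T = 26` are hit exactly instead of being missed by floating-point rounding.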


4.2 Cat and mouse race 

We consider the cat and mouse problem proposed in 0 (see Figure [5] for the corresponding hybrid 
automaton). The Hy -tccp code of this model is shown in Figure[6] The positions of the cat and the mouse 
are modeled by two continuous variables, called C and M respectively. A mouse starts running from the 
point of origin at a speed of 10 meters/second (change(M,0,10.0)) towards a hole that is 100 meters 
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true true 



winner loser 


Figure 5: Hybrid automata for the cat and mouse problem 


initmouse || cat || controller 
mouse 3M^change(M,0,10.0) || 

( ask(M < 50) 

+ ask(M = 50)-*■ (tell(go) || (ask(M<100) 

+ ask (M = 100) -* (tell(enrf m ) j| ask(vW« m ) -* claimPrize(...) 

+ ask(vWn c ) ->stop))))) 

cat3C^ask(go) -» (change(C,0,20.0) || 

( ask(C < 100) 

+ ask(C = 100) -> (tell (end c ) || ask(vi-/n r ) -> claimPrize(...) 

+ ask (wirim) -* stop)))) 

controller ask (end,,,) -> tell(wm m ) +ask(end c ) ->tell(wm c ) 


Figure 6: Hy -tccp model for the cat and mouse race 


away. After it has run 50 meters it sends a signal to the cat (tell(go)) and continues its run. When the cat 
receives the signal go, it starts chasing the mouse from the point of origin at a speed of 20 meters/second 
(change(C,0,20.0)). The cat wins if it catches the mouse before it reaches the hole, otherwise it loses. 
At the end of their run, the mouse and the cat send a message to the controller (end_m and end_c, 
respectively), which decides non-deterministically the winner and announces it through a signal (win_m 
or win_c). The winner, at this point, can claim its prize. 
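
An added example (not code from the paper): a small Python simulation of the race of Figure 6 that alternates continuous transitions with discrete ones and reports which runners the controller could declare winner. It assumes that discrete transitions take no continuous time, as in the trace of Section 4.1, and that the controller may pick any runner whose end signal is told in the first step in which one appears; the function and variable names are this example's own.

```python
from fractions import Fraction as F

def time_to(flow, target):
    """Delay until a linear flow (value, slope) reaches target, or None if it never does."""
    value, slope = flow
    if value == target:
        return F(0)
    if slope == 0 or (target - value) / slope < 0:
        return None
    return (target - value) / slope

def race(mouse_speed=10, cat_speed=20, signal_at=50, hole=100):
    """Return (trace, possible_winners) for the cat and mouse race."""
    cont = {"M": (F(0), F(mouse_speed))}            # change(M,0,10.0)
    # Equality guards of the model: (variable, threshold, signal told when reached).
    guards = [("M", F(signal_at), "go"), ("M", F(hole), "end_m"), ("C", F(hole), "end_c")]
    trace, now, winners = [], F(0), set()
    while guards and not winners:
        pending = [(time_to(cont[v], th), v, th, s) for v, th, s in guards if v in cont]
        pending = [p for p in pending if p[0] is not None]
        if not pending:                             # no guard can ever become true
            break
        tau = min(p[0] for p in pending)
        if tau > 0:                                 # continuous transition of duration tau
            now += tau
            cont = {v: (x + k * tau, k) for v, (x, k) in cont.items()}
            trace.append(("continuous", tau))
        fired = [p[1:] for p in pending if p[0] == tau]
        for g in fired:                             # discrete transition: tell the signals
            guards.remove(g)
            if g[2] == "go":
                cont["C"] = (F(0), F(cat_speed))    # ask(go) -> change(C,0,20.0)
            else:
                winners.add({"end_m": "mouse", "end_c": "cat"}[g[2]])
        trace.append(("discrete", now, sorted(g[2] for g in fired)))
    return trace, winners
```

With the speeds given in the text both runners reach 100 meters at the same instant (time 10), so under these assumptions both branches of the controller are enabled and the winner is a genuinely non-deterministic choice.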

4.3 Gear shift system 

The hybrid automaton in Figure 7 represents a car gear shift system. Each location models a gear (1, 2 
or 3) and the fact that the speed is either increasing or decreasing (↑ or ↓ respectively). When the speed 
increases (respectively decreases) over time and it reaches a given threshold, the current gear is changed 
to the upper (respectively lower) one. When a signal of danger (dng) is received, the system changes 
the current gear to the lower one and the speed starts decreasing. At this point, when a signal of safe 
situation (safe) is received, the system is allowed to stay in the current location as well as to increase the 

Figure 7: Hybrid automaton for the gear shift system 


speed. The latter case is modeled by the transitions from location 1↓ to location 1↑ and from 2↓ to 2↑. 

The Hy-tccp program modeling this system is shown in Figure 8. The stream G stores the evolution 
of the gear state. The ask statements model the five locations of the automaton of Figure 7, i.e., the 
possible cases in which a continuous transition is performed. It is worth noting that the invariant of 
each location is modeled by the guard of the corresponding ask statement. The first three ask statements 
model the gearbox shifting automatically into a higher (respectively lower) gear if the speed V reaches 
the upper (respectively lower) threshold of the current gear. The watcher informs the gearbox about 
the current external situation (danger or safe), through channel WG. When the gearbox receives a danger 
signal dng and the speed is growing (fourth and fifth ask branches), it moves to a lower gear, and changes 
the speed flow from positive to negative by means of a change agent. Otherwise, when it receives a safety 
signal safe and the speed is decreasing (sixth and seventh ask branches), it is allowed to change the speed 
flow from negative to positive. 

5 Related Work 

In Q, hcc was introduced as the first extension over continuous time of the concurrent constraint 
paradigm. Although both Hy-tccp and hcc are declarative languages with a logical nature, there are 
some important differences between them. First of all, Hy-tccp is a non-deterministic language, while 
hcc is deterministic. We believe that this is an essential feature for modeling hybrid systems, which are 
inherently non-deterministic. Hy-tccp has been defined as a modeling language for hybrid systems in 
the style of hybrid automata. This means that we aim to obtain programs with a structure similar to that 
of hybrid automata, but described in a more abstract way. The non-deterministic choice is a powerful 
construct that allows the set of all possible transitions of a hybrid automaton to be expressed as a list of 
ask and ask branches. Furthermore, in hcc, the information on the value and flow of continuous variables 
is modeled as a constraint of the underlying continuous constraint system. On the contrary, in Hy-tccp, 
init :- ∃V, G, WG ( tell(G = [1↑ | _]) || change(V, 0, +4.0) || tell(V > 0 ∧ V < 100) || gearbox(G, WG, V) || watcher(WG) )

gearbox(G, WG, V) :- ∃G', WG' (
    ask(G = [1↑ | _] ∧ V < 20) + ask(G = [2↑ | _] ∧ V < 60 ∧ WG ≠ [dng | _]) + ask(G = [3↑ | _] ∧ V < 100 ∧ WG ≠ [dng | _])
  + ask(G = [1↓ | _] ∧ V > 0) + ask(G = [2↓ | _] ∧ V > 20)
  + ask(G = [1↑ | _] ∧ V = 20) → ( tell(G = [1↑ | G']) || tell(G' = [2↑ | _]) || change(V, _, +5.0) || gearbox(G', WG, V) )
  + ask(G = [2↑ | _] ∧ V = 60) → ( tell(G = [2↑ | G']) || tell(G' = [3↑ | _]) || change(V, _, +6.0) || gearbox(G', WG, V) )
  + ask(G = [2↓ | _] ∧ V = 20) → ( tell(G = [2↓ | G']) || tell(G' = [1↓ | _]) || change(V, _, -4.0) || gearbox(G', WG, V) )
  + ask(G = [2↑ | _] ∧ WG = [dng | _]) → ( tell(G = [2↑ | G']) || tell(G' = [1↓ | _]) || tell(WG = [dng | WG']) ||
                                            change(V, _, -4.0) || gearbox(G', WG', V) )
  + ask(G = [3↑ | _] ∧ WG = [dng | _]) → ( tell(G = [3↑ | G']) || tell(G' = [2↓ | _]) || tell(WG = [dng | WG']) ||
                                            change(V, _, -5.0) || gearbox(G', WG', V) )
  + ask(G = [1↓ | _] ∧ WG = [safe | _] ∧ V < 20) → ( tell(G = [1↓ | G']) || tell(G' = [1↑ | _]) || tell(WG = [safe | WG']) ||
                                            change(V, _, +4.0) || gearbox(G', WG', V) )
  + ask(G = [2↓ | _] ∧ WG = [safe | _] ∧ V < 60) → ( tell(G = [2↓ | G']) || tell(G' = [2↑ | _]) || tell(WG = [safe | WG']) ||
                                            change(V, _, +5.0) || gearbox(G', WG', V) ) )

watcher(WG) :- ∃WG' ( ask(true)
  + ask(true) → ( tell(WG = [safe | WG']) || watcher(WG') )
  + ask(true) → ( tell(WG = [dng | WG']) || watcher(WG') ) )


Figure 8: Hy-tccp model for a gear shift system 

there is a clear distinction between discrete and continuous variables. In hcc the positive information in 
the store must be transferred by using the agent hence. In contrast, in Hy-tccp the positive information 
in the discrete store is transferred automatically from one step to the next. 

In [1] and 0], two process algebras for hybrid systems have been defined: Hybrid Chi and HyPa, 
respectively. The process algebra Hybrid Chi [1] shares with Hy-tccp the separation between discrete 
and continuous variables, the synchronous nature and the concept of delayable guard (corresponding 
to the suspension of the non-deterministic choice). HyPa 0 was introduced as an extension of the 
process algebra ACP. It differs from Hybrid Chi mainly in the way time-determinism is treated, and in 
the modeling of time passing. 


6 Conclusions 

In this paper we have presented Hy-tccp, an extension of tccp over continuous time with the aim of 
modeling hybrid systems in a declarative and logical way by abstracting away from all the implementation 
details. Hy-tccp has been introduced as a synchronous and non-deterministic language defining 
computations similar to those of hybrid automata. 

Hy-tccp has several advantages that make it suitable for modeling hybrid systems. Its declarative 
nature facilitates a high level description close to that of hybrid automata. In addition, the logical nature 
of Hy-tccp eases the development of formal methods techniques for the static analysis and verification of 
hybrid systems. Furthermore, since Hy-tccp is a conservative extension of tccp, it is possible to describe 
with the same syntax concurrent, reactive and hybrid systems. 

In the future, we plan to develop a framework for the description and simulation of Hy-tccp programs. 
In this way, we will be able to model complex hybrid systems in Hy-tccp. Given the affinity of the two 
formalisms, we are interested in defining a system of translation rules from Hy-tccp to hybrid automata 
and vice versa, in order to transfer verification and analysis results from one formalism to the other. 
Furthermore, we plan to use model checking and abstract interpretation techniques to verify temporal 
properties of hybrid systems written in Hy-tccp (as done in [6] for SPIN and in [3] for tccp). Another 
feature we would like to explore is the adjustment of the language to make it compatible with rectangular 
hybrid automata [9]. 